
Securing information systems is a very broad topic. Monitoring and auditing these systems, and in particular the activities of users, is just one important aspect of securing our corporate IT environments.

In July of this year, Microsoft announced some new capabilities around this within Office 365 – these are new Activity Monitoring and Reporting features. These capabilities are designed to help organizations that are continually facing challenges with security, privacy and compliance. In running and supporting the Office 365 service themselves, Microsoft has found that they're capturing large amounts of data on which activities end users and administrators are performing. They typically refer to this data as telemetry, and they've built great mechanisms into Office 365 to allow them to efficiently capture (and now share) this telemetry data.

These new capabilities provide greater visibility for administrators, and ultimately compliance and risk officers, into the actions taken by users on corporate content. They also allow us to apply greater access control over data, and if needed, they give us the capability to now investigate (at a very detailed level) user actions that might be against corporate or regulatory policies.

Why is Monitoring Activity and Auditing our Systems Important?

Monitoring user activity and auditing our information systems is important for many reasons.

Regulatory Compliance

Regulatory compliance requirements are one key driver. For example, many financial institutions often deal with MNPI, or Material Non-Public Information. Generally, this is information that’s not distributed to the public that an investor would likely consider important in making an investment decision. Many institutions must put up Compliance walls to ensure that specific aspects of the business don’t communicate with each other - this helps to avoid conflicts of interest and helps to ensure that they don’t inappropriately exchange MNPI.

In particular, this is required in institutions which have both a corporate-advisory unit and a brokering unit, in order to separate those people giving corporate advice on takeovers from those advising clients about buying shares. The wall is thrown up to prevent leaks of internal corporate information, which could influence the advice given to clients making investments.

Detailed monitoring and auditing of user activity gives us a detailed view into which users are accessing sensitive content, along with who they’re sharing it with, and it provides assurances that our regulatory compliance obligations in these business scenarios are being met.

Investigating Data Breaches

We've heard a lot about data breaches in recent years. Data breaches can be small or they can be very large. They can be malicious or they can be accidental. As well, data breaches can be caused by external actors like cyber criminals, or by insiders like system administrators or employees with broad levels of access. Generally, we tend to see data breaches caused more often by external actors, but data breaches by insiders tend to involve larger quantities of data or more significant data. When data breaches do occur, it’s important for organizations to investigate and find the root cause so that they can both measure the scale of a breach (i.e. how much data was leaked) and put in place measures to prevent these breaches in the future.

When data breaches occur as a result of an insider threat, monitoring user activity at a detailed level allows us to perform investigations and root cause analysis to determine exactly who accessed data, when it was accessed and which actions were taken on that data - like who it was shared with.

Audit Access to Sensitive Information

In many organizations it’s important to audit the current access controls in place for sensitive content. This is sometimes referred to as re-certifying permissions, or getting data owners to review and sign off that permissions are accurately set for data that they are responsible for. In large organizations with large, diverse information systems it can be really difficult to identify who is responsible for different data repositories.

Monitoring user activity at a detailed level allows us to gain insight into who is accessing data on a regular basis, along with the level of access that they have. This can greatly help us in identifying data owners to ultimately review and re-certify permissions.

Office 365 Activity Monitoring and Reporting

The new activity monitoring and reporting capabilities include:

Office 365 Activity Report (built into the Office 365 experience)

Comprehensive Event Logging

Search PowerShell Cmdlet

Management Activity API (in preview)

1. Office 365 Activity Report

You can use the Office 365 activity report to view detailed user and administrator activity in your tenant. It contains data across SharePoint Online, OneDrive for Business, Exchange Online and Azure Active Directory. You can use this report to search and investigate user activities by searching for a user, a file or folder or even a site. You can filter based on a date range or type of activity. And within the report window you can view details of each activity in the Details Pane. The report is available to run on demand as needed.

When you find what you're looking for, you can either review activities and details right within this window or you can download the list of activities to a CSV file.

With each event captured there are up to 37 different properties logged. Not all properties apply to all Office 365 services. Some only apply to SharePoint Online and OneDrive for Business, whereas others only apply to Exchange. The list of properties captured is shown here, with my favorites highlighted in red. My favorites include data like:

Actor - The user that performed the action; can be a service principal

ClientIP - The IP address of the device that was used when the activity was logged. The IP address can be either IPv4 or IPv6.

EventSource – Identifies that an event occurred in SharePoint, OneDrive for Business or the ObjectModel.

LogonType – Applies to Exchange only; this is the type of user who accessed an Exchange mailbox: mailbox owner, administrator, delegate, the Exchange Transport Service, a service account or a delegated administrator.

Subject – Applies to Exchange only; this is the subject line of the message that was accessed.

UserSharedWith – The user that a resource was shared with.

UserType - The type of user that performed the operation: a regular user, an administrator in your Office 365 tenant or a Microsoft data center administrator.

2. Comprehensive Event Logging

In order to enable the Activity Report and make it really useful, events related to user and administrator activities are logged as users work across SharePoint Online, OneDrive for Business, Exchange Online and Azure Active Directory.

Currently there are over 150 events that are logged, and these are divided into 9 categories:

Exchange admin events

Exchange mailbox events

File and folder events (SharePoint and OneDrive for Business)

Invitation and access request events (SharePoint and OneDrive for Business)

The events logged are diverse and very comprehensive, with Microsoft continually working to log more events. When it comes to investigating data leaks, this gives administrators very detailed investigation capabilities to determine how leaks occur and how to prevent them.

3. Search PowerShell Cmdlet

You can also search for events in the activity logs that we’ve been looking at by using PowerShell. This is a new PowerShell cmdlet that searches all the event logs based on date range, the user who performed an action, the type of action, or the target object.

With this capability we can script our searches of the event logs. We can also have these searches output the results to a file. And ultimately, this can allow us to schedule our reports to occur automatically on a regular basis so that administrators or infosec people can get insight into specific activities either every morning, every week or whenever the business schedule demands.
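As an added example (not code from the original post), the following PowerShell script puts the scripted-search idea above into practice: it runs the audit log search cmdlet, Search-UnifiedAuditLog (from the Exchange Online PowerShell module, which is where the cmdlet lives; it is not named on the page), over the last day, pages through large result sets with a session id, flattens the JSON AuditData of each event into the fields an investigator would want, and writes a CSV that a scheduled task can produce every morning. The operation names, the output path and the assumption that Connect-ExchangeOnline has already been run in the session are mine.

```powershell
# Added example, not part of the original post. Scripted daily export of
# sharing-related audit events to CSV using Search-UnifiedAuditLog.
# Assumes the Exchange Online PowerShell module is installed and that
# Connect-ExchangeOnline has already been run in this session.
# Operation names, days back and output path are constructed for illustration.

param(
    [int]$DaysBack = 1,
    [string[]]$Operations = @('SharingSet', 'AnonymousLinkCreated', 'FileDownloaded'),
    [string]$OutputPath = "C:\Reports\O365-Sharing-$(Get-Date -Format 'yyyyMMdd').csv"
)

$endDate   = Get-Date
$startDate = $endDate.AddDays(-$DaysBack)

# The cmdlet returns at most 5000 records per call, so page through the result
# set with a session id until a call returns fewer than a full page.
$sessionId  = "SharingReport-$([guid]::NewGuid())"
$allRecords = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
        -Operations $Operations -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $allRecords += $page }
} while ($page -and @($page).Count -eq 5000)

# AuditData is a JSON string carrying the per-event properties (ClientIP,
# ObjectId, the sharing target, ...). Flatten the fields the report needs.
# Assumption: in the current schema the user a resource was shared with is
# carried as TargetUserOrGroupName (the post lists it as UserSharedWith).
$report = foreach ($record in $allRecords) {
    $data = $record.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationDate   = $record.CreationDate
        UserId         = $record.UserIds
        Operation      = $record.Operations
        Workload       = $data.Workload
        ClientIP       = $data.ClientIP
        ObjectId       = $data.ObjectId
        UserSharedWith = $data.TargetUserOrGroupName
    }
}

# ReturnLargeSet does not guarantee chronological order, so sort before writing.
$report | Sort-Object CreationDate | Export-Csv -Path $OutputPath -NoTypeInformation
Write-Host "Wrote $(@($report).Count) events to $OutputPath"
```

To get the "every morning" report the post describes, register this script with Windows Task Scheduler under an account that can connect to Exchange Online non-interactively (certificate-based app authentication is the usual choice for an unattended run). Note that with ReturnLargeSet a single session is capped at 50,000 records, so a very busy tenant may need the window split into smaller date ranges.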

4. Management Activity API (in limited preview)

The final capability provided with this release is a new Management Activity API, which allows developers to integrate Office 365 activity and event data with either internal tools or with third-party monitoring and reporting solutions.

This API is in limited preview now, and during the preview anyone can use the API, but only those registered with Microsoft will be able to actually retrieve data from Office 365.

Actions and events are stored in content blobs in a database, and they are gathered across multiple servers and datacenters. As a result of this distributed collection process, the actions and events contained in the content blobs will not necessarily appear in the order in which they occurred. One content blob could contain actions and events that occurred prior to the actions and events contained in an earlier content blob.
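The out-of-order delivery described above is the detail most likely to bite anyone consuming the API, so here is an added example (mine, not Microsoft's sample code and not from the original post) that pulls content blobs from the Management Activity API with PowerShell and then restores event order by sorting on each event's own CreationTime rather than trusting blob order. It assumes an Azure AD app registration granted the ActivityFeed.Read application permission; the tenant id, client id and secret are placeholders, and the endpoint paths are the documented v1.0 ones, which may differ from the limited preview the post refers to.

```powershell
# Added example, not part of the original post or of Microsoft's own samples.
# Pulls audit events from the Office 365 Management Activity API and re-orders
# them by CreationTime, because content blobs are not delivered in event order.
# Assumes an Azure AD app registration with the ActivityFeed.Read application
# permission. Tenant id, client id and secret below are placeholders.
# Endpoint paths are the documented v1.0 ones (the preview may have differed).

param(
    [string]$TenantId     = '<tenant-guid>',
    [string]$ClientId     = '<app-client-id>',
    [string]$ClientSecret = '<app-client-secret>',
    [string]$ContentType  = 'Audit.SharePoint',
    [int]$HoursBack       = 6
)

$resource = 'https://manage.office.com'

# 1. Client-credentials token scoped to the Management Activity API.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = $resource
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$base    = "$resource/api/v1.0/$TenantId/activity/feed"

# 2. A subscription for the content type must exist before content is listed;
#    starting one that already exists is harmless.
Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "$base/subscriptions/start?contentType=$ContentType" | Out-Null

# 3. List the content blobs available for the time window (UTC timestamps).
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-$HoursBack)
$fmt   = 'yyyy-MM-ddTHH:mm:ss'
$listUri = "$base/subscriptions/content?contentType=$ContentType" +
           "&startTime=$($start.ToString($fmt))&endTime=$($end.ToString($fmt))"
$blobs = Invoke-RestMethod -Method Get -Headers $headers -Uri $listUri

# 4. Fetch every blob; each contentUri returns a JSON array of events.
$events = foreach ($blob in $blobs) {
    Invoke-RestMethod -Method Get -Headers $headers -Uri $blob.contentUri
}

# 5. Blobs arrive out of order and may occasionally be listed twice, so
#    de-duplicate on the event Id and then sort on the event's CreationTime.
$seen   = @{}
$unique = foreach ($e in $events) {
    if (-not $seen.ContainsKey($e.Id)) { $seen[$e.Id] = $true; $e }
}
$ordered = $unique | Sort-Object { [datetime]$_.CreationTime }

$ordered |
    Select-Object CreationTime, Operation, UserId, ClientIP, ObjectId, Workload |
    Format-Table -AutoSize
```

Two caveats worth knowing before wiring this into a monitoring tool: the content listing is paged, and when more blobs exist than fit in one response the API returns a NextPageUri response header that must be followed (the block above reads only the first page), and blobs are retained for a limited time after contentCreated, so a poller that falls behind will miss events rather than see them late.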


About Me

Antonio Maio is an information security architect with over 25 years of experience in cyber security practices and systems, product management, software development and leadership. Antonio is currently a Senior Manager and Senior SharePoint Architect with Protiviti. He has been awarded a Microsoft Most Valuable Professional award for 5 consecutive years, from 2012 to 2016, specializing in Microsoft SharePoint Server, Office 365 and Office Services. His background includes implementing cryptography and PKI systems, information security technologies, and both information governance and cybersecurity best practices. His experience with Microsoft SharePoint and Office 365 extends over the last 10 years. When he’s not helping enterprise, military or government organizations solve security challenges, you can catch him speaking at conferences or contributing to the community through this blog. In his spare time, Antonio likes to oil paint, run, make wine, read and spend time with his family.